"As we wrap up our four-month Rolling Review series, we do want to
award some partial credit. While only IBM's WatchFire AppScan
automatically handled our Ajax applications, Acunetix Web Vulnerability
Scanner, Cenzic Hailstorm and Hewlett-Packard WebInspect (post-update)
were capable of analyzing and detecting vulnerabilities in the Ajax
application, albeit only when we manually walked them through the
relevant bits.

Unfortunately, that's just not good enough. Much of the value
of a scanner is that it's a repeatable, exhaustive crawler. Requiring a
human to replace the automated spider reduces the code coverage, and
thus the effectiveness, of the scanner. So while we don't give those
products a complete failing grade, they have a ways to go before they
can claim to be truly Ajax-capable. Until then, expect to dig into code
manually. "